Spotting Phishing Links Fast: Six 30-Second Checks
What makes phishing links nasty isn’t that they look “fake” — it’s that they look almost right. They mimic the official domain by one letter, copy the colour of every button, even clone the support avatar you already trust. But every phishing link shares one weakness: it only works if you click or sign. Those few seconds before your click are the window. The six moves below take under thirty seconds each, and repeating them builds muscle memory.

Move 1: Stare at the address bar first
Before reading the page, look at the URL. Visuals lie. The domain rarely does.
- Letter-level swaps: binance.com becomes binance.co, binance-com.io, or bınance.com (with a dotless Turkish ı instead of i).
- Extra subdomain layers: binance.security-check.com — the real owner is security-check.com, not Binance.
- Hyphens and digits sneaking in: opensea-official.com, metamask-login.net. Official domains tend to be short and clean.
- Wrong top-level domain: a project you always visit on .com suddenly appears as .io, .xyz, or .app. Treat it as suspicious until proven otherwise.
Build the habit of reading the last two segments of the URL first — xxx.com — then look at what is glued in front. Authenticity lives in the last two segments, not the prefix.
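The address-bar check above can be written down as code. This is an added example, not part of the original article: the bookmark list, the finding names and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the reader's own bookmarks, stored as registrable domains.
BOOKMARKS = ("binance.com", "opensea.io", "metamask.io")
BRANDS = [d.split(".")[0] for d in BOOKMARKS]


def check_url(url):
    """Return findings for a URL; an empty list means it matches a bookmark."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    findings = []
    # Non-ASCII or punycode labels are how look-alike letters get into a name.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        findings.append("homoglyph")
    # The page's heuristic: the owner is the last two labels. It misreads
    # multi-label suffixes such as .co.uk; a public suffix list handles those.
    owner = ".".join(labels[-2:])
    if owner in BOOKMARKS:
        return findings
    name = labels[-2] if len(labels) >= 2 else host
    for brand in BRANDS:
        if brand in labels[:-2]:
            findings.append("brand-in-subdomain:" + brand)
        elif name == brand:
            findings.append("wrong-tld:" + brand)
        elif brand in name:
            findings.append("brand-plus-extras:" + brand)
        elif SequenceMatcher(None, name, brand).ratio() >= 0.8:
            findings.append("lookalike:" + brand)
    return findings or ["not-bookmarked"]


# Constructed sample URLs built from the domains used in the list above.
SAMPLES = [
    "https://www.binance.com/en",
    "https://binance.co/login",
    "https://bınance.com/",
    "https://binance.security-check.com/verify",
    "https://opensea-official.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, check_url(sample))
```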
Move 2: Stop trusting the top search result
The link sitting on top of search results, marked “Ad”, is one of the cheapest phishing entry points. Scammers buy keyword ads, push fake homepages above the real ones, and harvest beginners every single day.
- Never open a wallet or exchange homepage by clicking the ad link.
- The safe way is to save bookmarks once and click only from there, or to enter from a trusted long-running content site.
- If you must search, scroll past the ads, then verify the domain.
Fake exchange phishing walks through real cases. The pattern is consistent: victims weren’t reckless, they just hadn’t built the “skip the ad” reflex yet.
Move 3: Hover before you click
Plenty of phishing links live inside emails, DMs, and even PDFs. The visible text and the underlying URL rarely match.
- On a computer, hover over the link. The real destination appears in the corner. That’s where the click actually goes.
- On a phone, long-press the link (don’t tap) to see the preview.
- Any short link (bit.ly, t.co, etc.) inside crypto content should be treated as suspicious by default — its entire job is to hide the real destination.
Quick mantra: what is shown doesn’t count, what it jumps to does.
Move 4: Always enter through a trusted door
The most common script: you’re scrolling X, you see an “urgent project announcement” with a claim link. You click. The page looks like the official site, the sign button is even in the right place.
What to do: close the popup and reopen from your own bookmark.
- A real campaign will also be linked from the official homepage. If it isn’t there, it’s fake.
- A real support agent never DMs you first. The story behind that pattern lives in fake support scam.
- A real airdrop never asks for your seed phrase or a one-click unlimited approval.
Picture “trusted entry” as your front door. Use the door, not the window.
Move 5: Read the signature popup line by line
The dangerous step is rarely “click the link”. It’s “sign the wrong thing”. Even if you missed the domain trick, the signature preview is the last line of defence.
What to check:
- The origin domain the signature names — does it match what you see in the browser? MetaMask and similar extensions display the real requester.
- The allowance — unlimited or astronomical numbers are red flags.
- The destination address — is it a random address you’ve never seen?
- The action type — a plain transfer is much safer than setApprovalForAll, permit, or signTypedData, which are high-risk by nature.
Approval phishing has caused some of the largest single-victim losses in recent years. Approval phishing breaks down the most common traps. One pause before you tap “confirm” blocks most of these losses.
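The allowance, destination and action-type checks from the list above, applied to raw transaction calldata. This is an added example, not part of the original article: the function names, the trusted-address set, the sample addresses and the "astronomical" threshold are assumptions. It covers on-chain calls only (transfer, approve, setApprovalForAll); permit and signTypedData are typed-data signatures and are not decoded here.

```python
# Widely published 4-byte selectors for the calls the checklist names.
SELECTORS = {
    "a9059cbb": "transfer",
    "095ea7b3": "approve",
    "a22cb465": "setApprovalForAll",
}
MAX_UINT256 = 2**256 - 1
ASTRONOMICAL = 2**128  # assumption: threshold chosen for this example
HEX = set("0123456789abcdef")


def encode(selector, address, value):
    """Build constructed sample calldata: selector plus two 32-byte words."""
    return "0x" + selector + address[2:].rjust(64, "0") + format(value, "064x")


def review_calldata(calldata, trusted):
    """Return warning flags for one call (empty list = nothing flagged).

    `trusted` is a set of lowercase 0x-prefixed addresses the user already knows.
    """
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    action = SELECTORS.get(data[:8])
    args = data[8:]
    if action is None or len(args) != 128 or not set(args) <= HEX:
        return ["unrecognised-call"]
    counterparty = "0x" + args[24:64]  # low 20 bytes of the first word
    value = int(args[64:], 16)         # amount, or bool for setApprovalForAll
    flags = []
    if counterparty not in trusted:
        flags.append("unknown-counterparty")
    if action == "approve":
        if value == MAX_UINT256:
            flags.append("unlimited-allowance")
        elif value >= ASTRONOMICAL:
            flags.append("astronomical-allowance")
    elif action == "setApprovalForAll" and value != 0:
        flags.append("approval-for-all")
    return flags


# Constructed addresses, not real contracts.
KNOWN = "0x" + "aa" * 20
STRANGER = "0x" + "11" * 20

if __name__ == "__main__":
    print(review_calldata(encode("095ea7b3", STRANGER, MAX_UINT256), {KNOWN}))
    print(review_calldata(encode("a9059cbb", KNOWN, 1000), {KNOWN}))
```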

Move 6: Read the action out loud
It sounds silly. It works. Right before signing, narrate what you’re doing in plain language:
“I’m on xxx.com and I’m about to approve the xxx contract to move unlimited USDT from my wallet.”
The moment you say it, your brain catches the parts that don’t fit. The whole point is to break autopilot tapping. Beginners get hit hardest on the third or fourth signature of a session — the earlier ones worked, so the finger gets quick. That habit is exactly what phishing pages target.
A fast decision table
| What you see | What to do immediately |
|---|---|
| Link inside an email | Don’t click. Open your bookmark instead. |
| Top “Ad” result | Skip it. Scroll past. |
| Support DM you didn’t start | Assume fake. Close it. |
| One-click unlimited approval | Reject the signature. |
| Short link or QR code | Suspicious until proven otherwise. |
| Slightly odd spelling in the domain | Bail out and verify from official sources. |
A few habits to leave you with
- Keep the sites you use in the first row of your bookmark bar. Make “open from bookmark” your reflex.
- Split your funds into a small hot wallet and a larger cold vault. Even if a phishing site catches you, the damage stays small.
- Before every signature, ask yourself: does this step really need an approval?
- For a fuller defence stack, go through basic crypto security habits and stitch these small moves into one routine.
Phishing isn’t going away. But the cost of catching it is tiny — two extra seconds on the address bar, one extra line said out loud before signing. That two-second pause is what separates a beginner from someone who’s been here long enough to keep their funds.
This article is for education only and is not financial advice. Crypto is volatile and risky — only ever risk what you can afford to lose.